I'm a pretty decent (IMO) web app penetration tester, but I'm eager to expand my knowledge of other areas of security. Given that I've just taken on something of an enhanced sysadmin role at my work, I figured it would be a pretty good opportunity to try to learn more about network and operating system security.

In general, I'd say that I have a decent understanding of broad security concepts, but networking is a major, major blind-spot for me.

Now, the question: I was thinking that it might be a good idea ("good idea") to leave a vulnerable machine exposed on my home network, with the full intention of having it breached. My plan is to install the various auditing tools (tripwire, logwatch, samhain, etc) to give me real-world experience performing post-mortems on compromised systems, because I've got very little experience there.

I'm obviously hesitant to do that, though, because I'm not 100% confident that I can confine the will-be attackers to the honeypot machine only. So - how can I do that?

To the best of my understanding (which is again, quite poor, when it comes to networking) this will involve placing my honeypot system in the DMZ on my network. I've never done this before.

I was thinking, initially, that I could enforce the DMZ in two ways:

statically map the IP at the router, designating the DMZ machine

likewise, block out the MAC address from the rest of the LAN

When I thought about it some more, though, I began to doubt that plan. Could not a rogue user with root access 1) change his static IP and 2) flash the MAC? Would that get him out of the DMZ and onto my home network?

The above may be a bunch of nonsense. Again, this is a blind-spot for me. Please forgive me if I've wasted your time with a very dumb question :)

4 Answers
4

Especially given your lack of network experience, that sounds like a substantial risk to your home network to me :) Alternatively you could deploy it in the cloud for not much money and watch it there.

See DMZ (Wikipedia) for background and other answers here for tips on designing DMZs. Unless you have a real firewall node providing network separation between your DMZ network and your home network, it isn't really a DMZ.

I hadn't thought about deploying to the cloud, but that's a great idea. I'd rather not jeopardize my home LAN, as you've said, and the machines I'm protecting for work will ultimately be deployed on Amazon EC2, so that's perfect. I think this is how I'm going to proceed. Thanks!
–
chrisallenlaneMay 22 '11 at 18:15

There are many ways to gain experience. You could follow metasploit's guide to How to set up a penetration testing lab, then attack the systems yourself and observe if and how the logging or security tools detected your activities.

For learning purposes, it's far easier to follow the cause and effect when doing the above.

As nealmcb suggests, given your lack of network experience that is evident, I'd also advice against trying to run a high interaction honeypot.

There are other solutions you may try, but it all depends on what you want to monitor exactly. There are ready made honeypot implementations out there with log and keystroke capturing and everything, but they are specific to a task you want to focus.

For example, malware researchers that try to capture new worms use different techniques than people trying to see what kind of shell commands one may try if he gets root in a linux system. Also, other people prefer to have a honeypot for monitoring web site scanner actions to see new kinds of sql injection attempts or other abuse. Do you want to capture uplodaded files, command logs, audit records, or even take regular memory dumps? Some honeypots emulate specific deamons only, other emulate complete operating systems, others are just kernel modules for use in regular operating systems.

From the looks of it, you seem like you want something more in the area of Sebek.